(57) Abstract

PROBLEM TO BE SOLVED: To guarantee and verify
the genuineness of a data file by processing a signature
file with a computer system to judge the genuineness
of the signature file.

SOLUTION: An identifier is generated for each
data file (ST404). A signature file that lists or
compiles the identifiers is then generated (ST406). This
signature file is electronically signed using a signature
algorithm (ST408). The signed signature file is sent to a
receiving user or otherwise made available (ST410).
On reception or access, the receiving user verifies the
genuineness of the signed signature file (ST412), and the
validity of the electronic signature is determined (ST414).
The identifiers from the signature file are then stored (ST416).

2. Claims
What is claimed is: 

1. A computer-implemented method for verifying the authenticity of data, the method
comprising:

receiving at least one data file and a signature file, wherein the data file and the
signature file are separate, the data file including an identifier, the signature file including
the identifier for the data file and a digital signature; and

processing the signature file using a computer system to determine the authenticity
of the signature file.

2. A computer-implemented method for verifying the authenticity of data as recited in
claim 1 further including:

comparing the identifier in the data file with the identifier in the signature file using
the computer system to determine the authenticity of the data file, wherein processing the
signature file further includes processing the digital signature using the computer system to
determine the authenticity of the signature file.

3. The method as recited in claim 2 further including marking the data file as signed
when the identifiers in the data and signature files match.

4. The method as recited in one of claims 2 and 3 wherein when the identifiers in the
data and signature files do not match, the method further includes at least one selected from
the group of ignoring the data file, aborting the loading of the data file, and alerting a user
when the identifiers in the data and signature files do not match.

5. A computer-implemented method for verifying the authenticity of data as recited in 
one of claims 2-4 wherein comparing the identifier in the data file with the identifier in the 
signature file using the computer system is repeated for a second data file. 

6. A computer-implemented method for verifying the authenticity of data as recited in 
any one of the preceding claims wherein processing the digital signature further includes 
verifying the digital signature with a signature algorithm, the signature algorithm being a
keyed algorithm, wherein the signature algorithm is selected from a group consisting of a
DSA algorithm, and a combined Message Digest and RSA algorithm.

7. A computer-implemented method for verifying the authenticity of data as recited in
any one of the preceding claims wherein the identifier is generated using one of a one-way
hash function algorithm and a cyclic redundancy checksum algorithm.

8. A computer-implemented method for verifying the authenticity of data as recited in
any one of the preceding claims wherein comparing the identifier in the data file with the
identifier in the signature file further includes generating one or more of the identifiers with
a one-way hash function algorithm.

9. A computer-implemented method for verifying the authenticity of data as recited in
any one of the preceding claims wherein comparing the identifier in the data file with the
identifier in the signature file further includes checking one or more of the identifiers with a
cyclic redundancy checksum algorithm.

10. A computer-implemented method for verifying the authenticity of data as recited in
any one of the preceding claims wherein receiving the data file and the signature file further
includes transferring the data file and the signature file among networked computers.

11. A computer-implemented method for verifying the authenticity of data as recited in
any one of the preceding claims wherein:

the identifier in the data file includes at least one of a certificate authority, a site
certificate, a software publisher identifier, and a site name; and

the method includes setting a security level for at least one of said certificate
authority, said site certificate, said software publisher identifier, and said site name.

12. A computer-implemented method for verifying the authenticity of data as recited in
claim 11 including downloading the data file to the computer system, and when the data file
comprises an applet and when the digital signature is verified, the method includes
branding the applet as verified and running the applet.

13. A computer-implemented method for verifying the authenticity of data as recited in
claim 12 wherein when the data file comprises an applet, and when the signature is not
verified, the method includes determining whether an unsigned data file is acceptable for
execution on the computer, and terminating the applet if an unsigned data file is not
acceptable for execution on said computer.

14. A computer-implemented method for verifying the authenticity of data as recited in
claim 13 including branding the applet when the unsigned data file is determined acceptable
for execution on said computer.

15. A computer-implemented method for verifying the authenticity of data as recited in
claim 14 including running the applet and determining whether the applet performs an
action that triggers a security check, wherein the security check includes comparing the
brand with the security level and allowing the action when the security check is satisfied
and disallowing the action if the security check is not satisfied.

16. A computer-implemented method for verifying the authenticity of data as recited in
any one of the preceding claims, further including establishing a data communication
connection with a remote site using the computer system, determining whether the site
requires a secure connection, and determining whether a site certificate for the site is valid
in response to a determination that a secure connection is required.

17. An apparatus for verifying the authenticity of at least one data file and a signature
file, the data file including an identifier, the signature file including the identifier for the data
file and a digital signature, the apparatus comprising:

a processor for processing the digital signature to determine the authenticity of the
signature file; and

a comparator for comparing the identifier in the data file with the identifier in the
signature file using the computer system to determine the authenticity of the data file,
wherein the processor is further arranged to process the digital signature using the
computer system to determine the authenticity of the signature file.

18. An apparatus for verifying the authenticity of data as recited in claim 17 wherein the
comparator for comparing the identifier in the data file with the identifier in the signature
file using the computer system further includes a marker for marking the data file as signed
when the identifiers in the data and signature files match.

19. A computer program product including a computer-usable medium having
computer-readable program code embodied thereon for use in verifying the authenticity of
data, the computer program product including computer-readable program code for
effecting the following with a computer system:

a) receiving at least one data file and a signature file, the data file including an
identifier, the signature file including the identifier for the data file and a digital signature;
and

b) processing the signature file using a computer system to determine the
authenticity of the signature file.

20. A computer program product as recited in claim 19 further including
computer-readable program code for:

comparing the identifier in the data file with the identifier in the signature file using
the computer system to determine the authenticity of the data file, wherein processing the
signature file further includes processing the digital signature using the computer system to
determine the authenticity of the signature file.

21. A computer program product as recited in claim 20 further including
computer-readable program code for:

comparing the identifier in the data file with the identifier in the signature file using 
the computer system further includes marking the data file as signed when the identifiers in 
the data and signature files match. 
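
The flow in the abstract (ST404 to ST416) and in claims 1 to 4, as an added Python example that is not part of the patent text: the sender lists a hash identifier per data file and signs the listing, and the receiver checks the signature before comparing identifiers. Assumptions: SHA-256 as the one-way hash, a JSON listing, unpadded textbook RSA with a demonstration key built from two publicly known Mersenne primes standing in for "Message Digest with RSA", and hypothetical function and file names.

```python
import hashlib
import hmac
import json

# Demonstration key only (constructed for this example): both primes are
# publicly known Mersenne primes, so the private exponent is not secret.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))


def identifier(data):
    """Identifier for one data file: a one-way hash of its bytes.

    The page names MD5/MD2; SHA-256 is used here because MD5 and MD2 are no
    longer collision resistant.
    """
    return hashlib.sha256(data).hexdigest()


def _listing_digest(listing):
    """Hash the canonical (sorted-key JSON) form of the identifier listing."""
    body = json.dumps(listing, sort_keys=True).encode("utf-8")
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def build_signature_file(files):
    """Sender side (ST404 to ST408): identify each file, list, sign the list."""
    listing = {name: identifier(data) for name, data in files.items()}
    signature = pow(_listing_digest(listing), _D, N)  # textbook RSA, no padding
    return {"identifiers": listing, "signature": format(signature, "x")}


def signature_file_is_authentic(sig_file):
    """Receiver side (ST412 to ST414): check the signature over the listing."""
    try:
        listing = sig_file["identifiers"]
        signature = int(sig_file["signature"], 16)
        if not isinstance(listing, dict) or not 0 < signature < N:
            return False
        return pow(signature, E, N) == _listing_digest(listing)
    except (KeyError, TypeError, ValueError):
        return False  # malformed signature file is treated as not authentic


def verify_data_files(sig_file, received):
    """Compare each received file's identifier with the signed listing.

    Verdicts: "signed" (identifiers match), "mismatch", "unlisted" (no entry
    in the signature file), or "untrusted" when the signature file fails.
    """
    if not signature_file_is_authentic(sig_file):
        return {name: "untrusted" for name in received}
    trusted = sig_file["identifiers"]  # identifiers kept for comparison (ST416)
    verdicts = {}
    for name, data in received.items():
        expected = trusted.get(name)
        if expected is None:
            verdicts[name] = "unlisted"
        elif hmac.compare_digest(str(expected).encode(), identifier(data).encode()):
            verdicts[name] = "signed"
        else:
            verdicts[name] = "mismatch"
    return verdicts


if __name__ == "__main__":
    # Constructed sample data files.
    files = {"applet.class": b"\xca\xfe\xba\xbe demo bytecode",
             "logo.gif": b"GIF89a demo"}
    sig_file = build_signature_file(files)
    print(verify_data_files(sig_file, files))

    # A data file altered after signing no longer matches its identifier.
    altered = {**files, "applet.class": b"altered bytecode"}
    print(verify_data_files(sig_file, altered))

    # Rewriting the listed identifier to match the altered file breaks the
    # signature over the listing, so nothing in the listing is trusted.
    forged = {"identifiers": dict(sig_file["identifiers"]),
              "signature": sig_file["signature"]}
    forged["identifiers"]["applet.class"] = identifier(altered["applet.class"])
    print(verify_data_files(forged, altered))
```

A production verifier would use a vetted library's padded RSA or DSA verification with a privately generated key; only the order of checks carries over from this sketch.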
FIELD OF THE INVENTION

The present invention relates generally to the sharing of data among computing
resources. More specifically, the present invention relates to methods, apparatuses and
products for securing and verifying the authenticity of data being processed on a computer
system.

BACKGROUND OF THE INVENTION

With the increasing popularity of networked computing environments, such as the
Internet, there has been a corresponding increase in the demand to provide for the
transferring of shared information among the networked computers in a secure manner.
For example, when a user of the Internet sends information in the form of data to another
user it may be useful for the receiving user to verify that the data received has not been
corrupted or otherwise altered in some manner. Furthermore, the receiving user may also
find it useful to verify that the data received was actually sent by the proper sending user
rather than an impostor.

As a result, methods and algorithms that increase the security of data transmitted over 
computer networks and other data links have been developed and deployed with some 
success. The more secure methods tend to include encrypting all or part of the data prior to 
sending it, and likewise decrypting the received data prior to using it. Such encryption and 
decryption techniques may, for example, include adding encryption data to the data file, 
and encoding or otherwise transforming the data in the data file with a computer system by 
running a "signature algorithm". 

There are currently several signature algorithms in use today. One popular signature 
algorithm is actually a combination of a Message Digest algorithm and an RSA encryption 
algorithm (e.g., MD5 with RSA, or MD2 with RSA, or the like). The Message Digest 
with RSA signature algorithm is available from RSA Data Security, Inc. of Redwood City, 
CA. Another popular signature algorithm is the DSA encryption algorithm. The DSA 
encryption algorithm, which is available from the United States Government, may be used 
for limited purposes by private parties as a signature algorithm. These signature algorithms 
will be discussed in limited detail below. 

The Message Digest with RSA algorithm includes the capability to generate a "digital 
signature" that can be added to data files. Digital signatures are basically mechanisms 
through which users may authenticate the source of a received data file. A digital signature 
is typically a special sequence of data that can be generated and provided along with a 
related data file to other users. The basic concept behind most signature algorithms is that 
every user (e.g., individuals, companies, governments, etc.) will have a "key pair" that 
includes both a "private key" and a "public key". A key may, for example, be a numerical 
sequence. The private key is a unique key that is assigned to a single user and intended to 
be kept secret by that user. The private key may be used by the assigned user to create a 
digital signature for a data file with a signature algorithm. The public key, on the other 
hand, is typically made available to all other users. The public key may be used by these 
other users to verify that the digital signature on a received data file is authentic (i.e., that 
the digital signature was created with the private key). The verification process is 
accomplished with the same signature algorithm. In principle, such a verification process 
may provide a relatively high level of confidence in the authenticity of the source of the 
received data. 

In addition to digital signature generating algorithms, there are also algorithms that 
may be used to authenticate that the data file has not been corrupted in some manner. These 
algorithms are typically known as "one-way hash functions". One example of such an 
algorithm is the Message Digest, introduced above. A one-way hash function usually does 
not require a key. One-way hash functions typically include additional data that is inserted 
into the data file. As such, when the data file is received the hash function may be used to 
verify that none of the data within the data file has been altered since the generation of the 
hash function. However, hash functions are typically limited in that the user may not 
necessarily infer anything about the associated file, such as who sent it. It is noted that 
many signature algorithms use one-way hash functions as internal building blocks. 

For relatively open, unsecured networks such as the Internet, it may be useful for 
users to authenticate received data files prior to using them as intended. Such data files 
may include, but are not limited to, computer programs, graphics, text, photographs, 
audio, video, or other information that is suitable for use within a computer system. No 
matter the type of data file, authentication may be accomplished with a signature algorithm 
or similar type of encryption algorithm as described above. By way of example, if the data 
file is a software program the user may wish to authenticate that it was sent by a 
trustworthy authority prior to exposing his or her computer system to the software 
program, lest the program include a "Trojan Horse" that infects the user's computer with a 
virus. In such a case, the sending user may authenticate the data as described above. 

Another example is where the receiving user wishes to authenticate a text and/or 
image data file prior to displaying it on his or her computer screen. This may be useful to 
control the display of text and images having undesirable content. For example, parents 
may want to limit any access their children may have to pictures and text relating to adult 
subjects and materials. This can be accomplished by verifying that the data file (e.g., a text 
or image file), came from a trusted source. Similarly, providers of text and image files may 
want to provide a "stamp" of approval or authenticity so as to control the use of tradenames 
and other intellectual property. 

Unfortunately, the process of encrypting and decrypting, signing and verifying, 
and/or generating hash functions places an additional burden on the sending and receiving 
user's computational resources. The burden is compounded for users who send and 
receive several data files. By way of example, the growth of that aspect of the Internet 
known as the World-Wide Web has led to a tremendous increase in the transfer of multiple 
data files between users. These multiple data files often include the components or objects 
that constitute an object-oriented software process, such as a Java™ applet. To illustrate 
the potential burden that can be placed on the receiving user's computer resources in such a 
multiple data file transfer, one need only calculate the resulting processing time associated 
with verifying the digital signatures for each of the files. For example, if a Java™ applet 
included 200 digitally signed Java™ class files (including data files), assuming that the 
average verification process took about 1 second on a conventional desktop personal 
computer, then the user would have to wait for about 200 seconds after receiving the data 
files to use the applet. Such delays may significantly reduce the effectiveness of such a 
computer network environment. This is especially true for data files relating to a timed 
process, such as streaming audio or video data file in real (or near-real) time. 

Therefore, what is desired are more efficient methods, apparatuses and products for 
securing and verifying the authenticity of data files, especially for data files intended to be 
transferred over computer networks. 



SUMMARY OF THE INVENTION 

The present invention provides more efficient methods, apparatuses and products 
for securing and verifying the authenticity of data files, such as data files intended to be 
transferred over computer networks. In accordance with one aspect of the present 
invention, a method for verifying the authenticity of data involves providing at least one 
data file which includes an identifier and a signature file which includes the identifier for the 
data file as well as a digital signature. The digital signature is then verified using a 
computer system, and the identifier in the data file is compared with the identifier in the 
signature file using the computer system. 

In one embodiment, the identifier for the data file includes at least one certificate 
authority, site certificate, software publisher identifier, or a site name, and verifying the 
authenticity of data involves setting a security level for at least one of the certificate 
authority, said site certificate, said software publisher identifier, and said site name. In 
such an embodiment, the data file is downloaded to the computer system, and if the data 
file is an applet and the digital signature is verified, then verifying the authenticity of data 
also involves branding and running the applet accordingly. 

In another aspect of the present invention, an apparatus for verifying the authenticity 
of at least one data file, which includes an identifier, and a signature file which includes the 
identifier for the data file in addition to a digital signature, includes a verifier for verifying 
the digital signature and a comparator for comparing the identifier in the data file with the 
identifier in the signature file. In one embodiment, the digital signature is verified with a 
signature algorithm. In another embodiment, the comparator includes a one-way hash 
function algorithm. 

In yet another aspect of the present invention, a computer system arranged to verify 
the authenticity of a data file, which includes an identifier and is associated with a signature 
file that has the identifier for the data file and a digital signature, includes a processor, a 
memory coupled to the processor, and a verifier arranged to verify the digital signature and 
compare the identifier in the data file with the identifier in the signature file. In one 
embodiment, the identifier for the data file includes at least one of a certificate authority, a 
site certificate, a software publisher identifier, and a site name. In such an embodiment, the 
verifier is further arranged to set a security level for at least one of the certificate authority, 
the site certificate, the software publisher identifier, and the site name. In another 
embodiment, the data file is an applet and the verifier is arranged both to brand the applet 
and to run the applet. 

The invention, together with further advantages thereof, may best be understood by 
reference to the following description taken in conjunction with the accompanying 
drawings in which: 

DETAILED DESCRIPTION OF THE INVENTION 

Several embodiments of the present invention provide novel methods, apparatuses 
and products that reduce the computational demands placed on both source user computer 
systems and receiving user computer systems by requiring the implementation and the 
verification of only a single digital signature for an arbitrary number of data files. In 
accordance with an embodiment of the present invention the data files need not be 
individually signed. Instead, a separate signature file is created such that when the separate 
signature file is digitally signed and later verified, the data files to which it corresponds can 
be authenticated without running the signature algorithm for each of these data files. In one 
embodiment, the signature file includes a list of "identifiers", such as one-way hash 
functions, that are associated with each of the data files to be transferred. As such, the 
signature file is essentially the cryptographic equivalent of a digital signature for each of the 
data files. 

Thus, with an embodiment of the present invention a user can create a signature file 
that includes unique identifiers for each data file. The signature file can be digitally signed 
by using a signature algorithm. The signed signature file and data files can then be sent to a 
receiving user, who can then verify the digital signature using the appropriate signature 
algorithm. Once the digital signature has been verified, the identifiers within the signature 
file can be compared to the identifiers within the data files. If the identifier within a given 
data file matches the corresponding identifier in the signature file, then the data file can be 
verified as being authentic. The receiving user can then proceed to process the verified data 
files with confidence in their authenticity. As a result, computational delays can be reduced 
because there is no longer the need to digitally sign and later verify the digital signature for 
each of the data files. 

Figure 1 illustrates a networked computing environment 10, as represented by a 
block diagram of a source user computer system 12 coupled to exchange information in the 
form of data with a receiver user computer system 14 over a data link 16. Source user 
computer system 12 can, for example, take the form of a server computer such as a web 
server associated with the Internet. Likewise, receiving user computer system 14 can, for 
example, take the form of a client system that is networked via data link 16 to a web server. 
In such a case, data link 16 can therefore represent a portion of, or the entire, Internet and 
other connected networks. Data link 16 can also represent one or more local area networks 
(LANs), wide area networks (WANs), "intranets" or "extranets", or other like 
telecommunication or data networks. 

Figure 2 illustrates a typical computer system 20 that can be used by either a sending 
user or a receiving user, in accordance with Figure 1. Alternatively, computer system 20 
can be a stand-alone computer capable of receiving data through computer usable 
products. Computer system 20 includes one or more processors 22, a primary memory 
24, a secondary memory 26, one or more input/output (I/O) devices 28, one or more 
network communication devices 30, and one or more buses 32. 

Processors 22 provide the capability to execute computer instructions. Processors 22 
can, for example, be microprocessors, central processing units (CPUs), or microcontrollers 
such as found in many of the desktop, laptop, workstation, and mainframe computers 
available on the market. Processors 22 can also take the form of conventional or even 
customized or semi-customized processors such as those typically used in special purpose 
or larger frame computers, telecommunication switching nodes, or other networked 
computing devices. Processors 22 are coupled to output data to buses 32 and to input data 
from buses 32. 

Buses 32 are capable of transmitting or otherwise moving data between two or more 
nodes. Buses 32 can, for example, take the form of a shared general purpose bus or can be 
dedicated to transmitting specific types of data between specific nodes. Buses 32 can 
include interface circuitry and software for use in establishing a path between nodes over 
which data can be transmitted. It is recognized that some devices, such as processors 22, 
can also include one or more buses 32 internally for transmitting data between internal 
nodes therein. Data can include processed data, addresses, and control signals. 

Primary memory 24 typically provides for the storage and retrieval of data. Primary 
memory 24 can, for example, be a random access memory (RAM) or like circuit. Primary 
memory 24 can be accessed by other devices or circuits, such as processors 22, via buses 
32. 

Secondary memory 26 typically provides for additional storage and retrieval of data. 
Secondary memory 26 can, for example, take the form of a magnetic disk drive, a magnetic 
tape drive, an optically readable device such as a CD ROM, a semiconductor memory such 
as a PCMCIA card, or like device. Secondary memory 26 can be accessed by other devices 
or circuits, such as processors 22, via buses 32. Secondary memory 26 can, for example, 
access or read data from a computer program product including a computer-usable medium 
having computer-readable program code embodied thereon. 

I/O devices 28 typically provide an interface to a user through which data can be 
shared. I/O devices 28 can, for example, take the form of a keyboard, a tablet and stylus, a 
voice or handwriting recognizer, or some other well-known input device such as, of 
course, another computer. I/O devices 28 can also, for example, take the form of a display 
monitor, flat panel display, or a printer. I/O devices 28 can be accessed by other devices or 
circuits, such as processors 22, via buses 32. 

Network communication devices 30 typically provide an interface to other computing 
resources and devices, such as other computer systems. Network communication devices 
30 typically include interface hardware and software for implementing data communication 
standards and protocols over data communication links and networks. For example, with a 
network connection, processors 22 can send and receive data (i.e., information) over a 
network. The above-described devices and processes will be familiar to those of skill in 
the computer hardware and software arts. 

Figure 3a illustrates an embodiment of an archival data structure 300 in accordance 
with an embodiment of the present invention. Data structure 300 includes a signature file 
302 and several data files 304-314. Files 304-314 can be any digital bit stream, such as, 
for example, Java™ class files, image files, audio files, text files, and even additional 
signature files. 

Figure 3b illustrates an embodiment of a signature file 302. It should be appreciated 
that in some embodiments, signature file 302 is a header file. In the illustrated 
embodiment, signature file 302 includes at least one identifier 316 for each of the data files 
304-314. Optionally, signature file 302 can also contain additional data 318 for each of the 
data files 304-314. For example, additional data 318 can further comprise the information 
about the name of the file, the author of the file, the date of the file, the version of the file, 
the file's rating (e.g., movie rating, such as "PG"), or any other authenticated data that the 
users may want to include within signature file 302. 

Signature file 302 further includes an identifier ID 320 and a digital signature 322. 
Identifier ID 320 provides the information necessary to determine the algorithm(s) used to 
create the identifiers listed in signature file 302. Digital signature 322 represents the digital 
signature created for the signature file. The structure of digital signature 322 will depend, 
of course, on the signature algorithm used to create it. 

Figure 4 illustrates a method 400, in accordance with an embodiment of the present 
invention, that includes step 402 for generating one or more data files. Step 402 can, for 
example, include using a text program to generate a text file, a recording program to 
generate an audio or video file, a graphics program to generate an image or movie file, a 
programming language to generate a class file or program file, or any other mechanism that 
is capable of generating a data file. 

Having generated one or more data files in step 402, step 404 includes generating an 
identifier for each of these data files. The identifiers generated in step 404 can, for 
example, be generated by a one-way hash function algorithm, or alternatively can even take 
the form of a cyclic redundancy checksum (CRC), or the like. It is recognized, however, 
that generally a one-way hash function algorithm tends to provide for greater security 
because such functions cannot be easily or efficiently broken, or otherwise 
reverse-engineered. By way of example, one-way hash function algorithms, such as MD5 and 
SHA are typically considered to be cryptographically secure. Such algorithms will be 
known to those having skill in the computer science art. 

Next, step 406 includes creating a signature file that lists, or otherwise compiles, the 
identifiers as generated in step 404. A signature file can, for example, be a text file that 
lists the identifiers. Optionally, a signature file can further include, for example, the name 
of each file, the author of each file, the file version, a date-stamp for the file, or other data 
relating to each data file. Step 406 can further include one or more programs that inquire, 
trace, select, or otherwise gather or render such data from the data files. Step 406 can be 
performed, for example, by processing the data files in a batch mode process to gather the 
appropriate identifiers and any additional data. Those skilled in the art will recognize that 
there can be benefits (e.g., in efficiency) to specifically ordering, grouping or otherwise 
arranging the data listed in the signature file in some manner that expedites the steps in 
method 400. For example, it can be useful to group the file name or the author along with 
the identifier. 

Once the signature file has been created, step 408 includes digitally signing the 
signature file with a signature algorithm. Examples of suitable signature algorithms include 
a combined Message Digest algorithm and RSA encryption algorithm (e.g., MD5 with 
RSA, or MD2 with RSA, or the like), or the DSA algorithm (discussed above). Step 408 
can also include, for example, generating a digital signature for the signature file with a 
signature algorithm by way of a public or private key (e.g., see Schneier, above). 

The signed signature file from step 408 is then sent, provided or otherwise made 
available to the receiving user in step 410. Step 410 can, for example, include transmitting 
the signed signature file over a data bus, data link, the Internet, or some other computer or 
data communication network or link. In addition it is recognized that step 410 can, for 
example, include storing the signature file in a computer readable medium like a magnetic 
storage media or optical storage media, and moving the signed signature file on the 
computer readable medium from one computer to another computer. 



Upon receipt or access, the receiving user, in step 412, verifies the authenticity of the 
signed signature file sent or made available in step 410. Step 412 can, for example, include 
verifying the digital signature on the signed signature file with a signature algorithm by way 
of a key. 

Step 414 represents a decision wherein the validity of the digital signature as 
determined in step 412 either terminates or continues method 400. While depicted as 
interrupting or otherwise preempting method 400, it is recognized that step 414 can also 
include invoking another process, such as an alarm or notification process, or log process, 
that in some way records or identifies, or otherwise addresses that the verification of the 
signed signature file in step 412 failed. 

If the decision in step 414 is that the file is valid (i.e., authentic), then the process 
continues to step 416 which includes storing at least the identifiers from the signature file. 
In one embodiment of the present invention, the identifiers are stored in a secure location. 
A secure location can, for example, be the RAM of the receiving computer system since 
this memory is readily cleared when the process is completed. Alternatively, the identifiers 
can be stored to a disk or tape drive wherein they can be retrieved at some later stage. 
Those skilled in the art will recognize that various data storage devices and other computer 
system configurations pose varying and potential security risks (i.e., some storage devices 
will be more secure than others). It is also recognized that additional security measures, 
such as encryption and file access privileges, can be used to further secure or increase the 
trustworthiness of the signature file as stored in step 414. 

Once the identifiers have been stored in a secure location in step 416, then the data 
file or data files whose identifiers were listed in the signature file in step 406 can then be 
processed in accord with a loop as represented in step 418. Step 418 can, for example, 
include a counter mechanism that iteratively controls the number of times that step 420 will 
be entered into based on the number of identifiers listed in the signature file. For example, 
if there are "n" number identifiers listed in the signature file (i.e., there are n data files to be 
loaded), then an iterative loop can count up from i = 1 to i = n, or alternatively down from i 
= n to i = 1, or otherwise determines when all of the data files have been loaded, or that 
loading has been attempted, in accord with the remainder of the steps in method 400 as 
presented below. 

Step 420 includes loading the i-th data file. Step 420 can, for example, include any of 
the methods in step 410 to either download, upload, broadcast, or otherwise move the i-th 
data file from one location to another location. Once the i-th data file has been loaded, step 
422 includes providing, computing or generating the identifier for the i-th data file with the 
appropriate identifier algorithm (for that data file). 

Next, step 424 includes comparing the identifier provided in step 422 with the 
identifier listed, for the i-th data file, in the signature file which was stored in step 416. If 
the identifiers match then the i-th data file is verified as authentic. If the identifiers do not 
match then the i-th data file is considered not to have been verified. 

Step 426 represents a decision wherein the validity of the identifier, as determined in 
step 424, either interrupts or continues the iterative loop of step 418. If the identifier for 
the i-th data file has been verified in step 424, then step 426 continues the iterative loop of 
step 418 by proceeding to step 428 which includes marking, or otherwise recording or 
establishing in some manner, that the i-th data file has been verified as being authentic. Step 
428 can, for example, include modifying or marking the i-th data file as having been signed 
by the source user. 

If, on the other hand, the identifier for the i-th data file is not verified as authentic in 
step 424, then step 426 interrupts the iterative loop of step 418 by proceeding to step 430. 
Step 430 includes interrupting the iterative loop of step 418 in some manner so as to avoid 
step 428 and to proceed back to step 418. Step 430 can, for example, include ignoring the 
i-th data file. In addition to step 430, other steps can be included in method 400 to somehow 
record or otherwise identify that the i-th data file is not authentic. 

Thus, with the data structure and steps above, a user who is sending several data files 
will likely reduce the associated processing time because rather than having to generate a 
separate digital signature for each data file, the sending user need only create a signature file 
and digitally sign that file. Likewise, with the data structure and steps above, the user who 
is receiving several data files will likely reduce the associated processing time because 
rather than having to verify each data file as being authentic by decrypting an associated digital 
signature, the receiving user need only verify that the signature file is authentic. Such a 
hybrid verification process substantially streamlines the signature and verification 
processes. As a result, data files may be digitally signed, and later authenticated and 
processed in less time. 

Additionally, step 430 can lead to optional step 432 which aborts the attempted load, 
and/or to optional step 434 which alerts or otherwise warns of the failure to verify 
authentication in step 424. Once steps 430, and optionally 432 and/or 434, have been 
completed then method 400 returns to step 418 to complete the iterative loop therein. Once 
the iterative loop of step 418 has been completed, then method 400 is ended. 
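
Method 400 end to end, as an added example that is not code from the patent: the sender lists one identifier per data file, signs only that list, and the receiver verifies one signature before comparing identifiers file by file. Assumptions: the JSON layout and all function names are hypothetical, SHA-256 stands in for the MD5/SHA identifiers, and a toy textbook RSA with a constructed, insecure demo key stands in for a real MD5-with-RSA or DSA signature library.

```python
import hashlib
import hmac
import json

# Constructed demo key pair (NOT secure): textbook RSA built from two
# well-known Mersenne primes so the example needs only the standard library.
_P, _Q = 2**521 - 1, 2**607 - 1
PUBLIC_KEY = (_P * _Q, 65537)                      # (modulus, public exponent)
_PRIVATE_EXPONENT = pow(65537, -1, (_P - 1) * (_Q - 1))

ALLOWED_ALGORITHMS = {"sha256", "sha512"}          # assumption: receiver policy


def _digest_as_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data):
    """Sender side: toy hash-then-sign with the private exponent."""
    return pow(_digest_as_int(data), _PRIVATE_EXPONENT, PUBLIC_KEY[0])


def verify(data, signature):
    """Receiver side: check the signature with the public key only."""
    modulus, exponent = PUBLIC_KEY
    return pow(signature, exponent, modulus) == _digest_as_int(data)


def identifier(data, algorithm):
    """Step 404 / 422: one-way hash of a data file's bytes."""
    return hashlib.new(algorithm, data).hexdigest()


def _canonical(body):
    # Stable byte encoding so sender and receiver sign/verify the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_signature_file(files, algorithm="sha256"):
    """Steps 404-408: list the identifiers, record the identifier ID, sign once."""
    body = {
        "identifier_id": algorithm,                # plays the role of identifier ID 320
        "identifiers": {name: identifier(data, algorithm)
                        for name, data in files.items()},
    }
    return {"body": body, "signature": sign(_canonical(body))}


def verify_data_files(signature_file, load_file):
    """Steps 412-430: returns {file name: True if verified, False if ignored}."""
    body = signature_file["body"]
    if not verify(_canonical(body), signature_file["signature"]):
        raise ValueError("signature file is not authentic")       # step 414
    algorithm = body["identifier_id"]
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("identifier algorithm not accepted")
    trusted = dict(body["identifiers"])            # step 416: kept in memory
    verified = {}
    for name, expected in trusted.items():         # step 418: loop over identifiers
        data = load_file(name)                     # step 420: None if unavailable
        actual = identifier(data, algorithm) if data is not None else ""
        verified[name] = hmac.compare_digest(actual, expected)    # steps 424-430
    return verified


# Constructed sample archive, standing in for data files 304-314.
SAMPLE_FILES = {
    "Main.class": b"\xca\xfe\xba\xbe demo class bytes",
    "logo.gif": b"GIF89a demo image bytes",
    "readme.txt": b"demo text\n",
}


def demo():
    signature_file = build_signature_file(SAMPLE_FILES)
    received = dict(SAMPLE_FILES)
    received["logo.gif"] = b"GIF89a altered in transit"   # one file modified
    return verify_data_files(signature_file, received.get)


if __name__ == "__main__":
    print(demo())
```

Only files listed in the signature file are ever marked as verified, so a file delivered alongside the archive but absent from the list gets no assurance from the signature.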

In one embodiment of the present invention, for each signatory authority, a 
certificate is created, i.e., the unique identifiers which are listed in a signature file are 
embodied as certificates. In general, the certificates are tokens that a site, which is typically 
either a source user computer system or a receiving user computer system, can use to 
identify itself. Several sites can be associated with a single certificate. Alternatively, 
several certificates can be associated with one site. 

A source user computer system and a receiving user computer system can be 
configured to exchange not only data files but computer software in the form of "applets," 
such as those written in the Java™ programming language available from Sun 
Microsystems of Mountain View, California. "Applets" as used herein are software 
programs that are configured to be passed from a source computer, typically a server, to a 
client machine and run in conjunction with software, as for example browser software, 
already installed on the client. In the described embodiment, applets are instantiated from 
class files, which are grouped together into an archival data structure as described above 
with respect to Figure 3a, that are downloaded from a source computer, or a server, to a 
client machine. Typically, applets provide additional functionalities to browser software by 
performing various computational tasks which the browser software itself is not configured 
to perform. Thus, users who download applets can provide the browser software with 
additional functionalities that are not otherwise available to the browser software. Such 
additional capabilities can include, e.g., custom interfaces to a database. 

A security manager associated with a browser can be used on either a source 
computer or a client machine to control operations which are accessible to given applets, as 
for example a Java™ applet. In other words, a security manager can be used to control the 
actions which an applet is allowed to perform, or otherwise extend privileges to applets. 
Although the actions which an applet is allowed to perform can be widely varied, in 
general, the actions are read and write actions. Within a security manager, different 
security levels can be implemented to provide a user with the flexibility to set permissions 
for different certificates and sites associated with an applet. Generally, a user can select a 
particular certificate or site, or a group of certificates and sites, and set the security level for 
his selection. 

Using a security manager to implement security levels generally entails identifying 
which applet actions are considered to be secure, safe, or trusted, as well as applet actions 
which are considered to be unsecure, unsafe, or not trusted. A secure action is generally an 
action which is not considered to have serious potential for jeopardizing system security or 
for corrupting information stored on a client or a server. By way of example, a secure 
action can be a read-only action, or a read-only action for a particular directory. On the 
other hand, an unsecure action is generally any action which has potential for violating 
system security or for damaging information stored on a client or a server. Unsecure 
actions can include, but are not limited to, writing actions, deleting actions, renaming 
actions, and even reading actions which request access to sensitive documents. Unsecure 
actions can further include requests to establish connections to remote sites which are 
protected. 

In one embodiment of the present invention, a browser which can run Java™ applets, 
as for example a HotJava™ browser (available from Sun Microsystems of Mountain View, 
California), has a security manager with security levels which include a high security level, 
a medium security level, a low security level, and an untrusted level. A high security level 
essentially enables applets to run with a set of safe actions, or constraints, while blocking 
any unsafe actions. In the described embodiment, the high security level enables applets to 
perform most actions which are considered to be safe, e.g., trusted, while denying access 
for any actions which are considered to be unsafe, e.g., not trusted. 

A medium security level can be used to enable applets to run with safe constraints, 
while providing users with the ability to grant permissions for actions which can potentially 
be unsafe. With a medium security level, a user can be warned through a user interface of 
an action which may not be a safe, e.g., allowable, action. In the described embodiment, a 
dialog box which describes the activity appears, and the user is prompted to either grant or 
deny permission for the potentially unsafe action to be executed. A low security level 
allows applets to run with minimal constraints, and in the described embodiment, does not 
warn the user of potentially unsafe actions. An untrusted security level is used to identify 
certificates and sites which are known to be unsafe. 

Referring next to Figure 5, the steps associated with setting security levels in a 
security manager will be described in accordance with one embodiment of the present 
invention. In one embodiment, the security levels, also known as levels of trust and 
verification settings, are the high security level, the medium security level, the low security 
level, and the untrusted security level, as previously described. Although the security 
levels can be set by a user through the use of a suitable graphical user interface (GUI), it 
should be appreciated that any suitable method can be used to set security levels. 

The process of setting security levels in a security manager 500 begins, and in step 
502, security levels for the certificate authority are set. The certificate authority enables 
different security levels, or priorities, to be applied to both individual certificates and 
groups of certificates. In general, the certificate authority can include, but is not limited to, 
information which identifies how a particular certificate is to be used. By way of example, 
a certificate authority can be set to enable one certificate to "vouch" for, or authenticate, 
other certificates. 



After the security levels for the certificate authority are set, then the security levels for 
site certificates are set in step 504. Site certificates are certificates which a given site can 
use to initiate a secure connection over which a transaction can be made. Security levels for 
site certificates generally involve specifying secure socket layer (SSL) standard protocols 
and security permissions which can be used to authenticate connections over which secure 
transactions are to occur. Such secure communications technologies can be used to identify 
rogue, or potentially unsecure, sites and, hence, provide more secure channels over which 
transmissions can be made by avoiding communication with such sites. 

In step 506, security levels for software publishers are set. It should be appreciated 
that in intranet environments, software is typically not published with certificates, as an 
intranet environment is usually considered to be a secure environment. Hence, software 
published within such a secure environment is generally assumed to be secure. However, 
for environments in which software is published with certificates, as for example in internet 
environments, the certificates can be used to determine if software code associated with the 
certificates is trusted for browser execution. 

Security levels for site names are set in step 508. The process of setting security 
levels for site names is essentially the same as the process for setting software publishers, 
except that when a security level is set for a site, the security level is applied to all software 
associated with the site. Setting site name permissions generally enables software without 
certificates to be tested with little risk of tampering with system resources. Then, 
certificate types are set in step 510. Setting certificate types can entail determining how 
certificates are to be used, and choosing authorities for the certificates based upon how the 
certificates are expected to be used. After the certificate sites are set in step 510, the 
process of setting security levels is completed. It should be appreciated that the order in 
which the security levels are set can be widely varied depending upon the requirements of a 
particular security manager. 

In some embodiments, additional "advanced" settings can be used to set security 
levels. In one embodiment, advanced settings are granularity controls which a user can 
modify through a GUI or similar interface which enables the user to set specific, customized 
security levels for individual certificate authorities, site certificates, software publishers, or 
site names. Further, advanced settings can also be configured to enable a user to customize 
a security level for a group of certificate authorities, site certificates, software publishers, or 
site names. Advanced settings thus generally provide for flexibility in controlling security 
levels and in overall certificate handling. By way of example, through the use of advanced 
settings, a user can set a particular site certificate to a medium security level, while also 
specifying that the security permissions associated with the site certificate be limited to only 
allowing read access. In addition, advanced settings can also be used to override 
specifications at given security levels, e.g., advanced settings can be used to grant 
permissions which are not normally allowed at a given security level. 

In the described embodiment, advanced settings are provided such that in addition to 
the high security level, the medium security level, the low security level, and the untrusted 
security level which were previously discussed, additional options are available to enable a 
user to select specific permissions for a site certificate, for example, which can be 
implemented in addition to selected security levels. These specific permissions can include, 
but are not limited to, allowing an applet to open windows without providing a warning 
message to a user, allowing an applet to automatically launch local applications with or 
without a warning dialog, allowing an applet to access all properties without providing a 
warning dialog, and allowing an applet to begin execution without providing a warning 
dialog. 

Figure 5a is a diagrammatic representation of a browser interface which illustrates 
advanced settings in accordance with an embodiment of the present invention. As 
previously mentioned, advanced settings are used to select specific permissions which can 
be enabled or disabled in addition to the security levels provided with the browser interface. 
Although browser interface 560 can be any suitable browser interface 560, in the described 
embodiment, browser interface 560 is a basic representation of a HotJava™ browser. As 
shown, browser interface 560 includes an advanced settings display window 564. A first 
region 568 of display window 564 lists sites and certificates 570, as well as groups of sites 
and certificates, for which security permissions can be customized. "Applet Permissions" 
572, "File Access" 574, and "Network Access" 576 are among permissions which can be 
customized. In the described embodiment, a selection 580 indicates that permissions for 
File Access 574, i.e., files which an applet is allowed to access, are to be set. 

A second sub-region 582 displays files and directories 584 which, when selected, an 
applet with the selected settings, i.e., settings determined using the Applet Permissions 572 
command, is allowed to read from. Similarly, third sub-region 588 displays files and 
directories 590 to which an applet with suitable permissions is allowed to write. Additional 
selectable options, as for example a "Warn before granting access to other files" option 594 
or a "Warn when applet tries to delete a file" option 596 can further enable a user to 
customize security options. 

Figure 6 is a flow chart which illustrates the steps associated with one process of 
executing an applet that uses verification settings in accordance with one embodiment of the 
present invention. The process of implementing verification settings begins, and in step 
602, an applet is downloaded to a local machine on which the applet is to be executed. In 
the described embodiment, downloading the applet entails downloading at least part of the 
archive file, or archival data structure, that contains the class files from which the applet can 
be instantiated. After the applet is downloaded, a signed archive stream is received in step 
604. In the described embodiment, the archive stream contains a digital signature that is 
associated with a Java™ archive file. 

In step 606, a determination is made regarding whether the signature in the signed 
archive stream is valid, i.e., whether the signature is known and acceptable. It should be 
appreciated that the signed archive stream is one embodiment of the signed signature file 
which was previously described. The determination of whether the signature in the archive 
stream is valid can entail systematically checking a chain of authorities, e.g., certificates, in 
a signature file until a known authority is found. The known authority is then checked for 
validity. By way of example, a certificate "A" can be vouched for by a certificate "B," 
which is known to be a valid certificate. Hence, as certificate "B" is known to be valid, 
certificate "A" can then be assumed to be valid. 

If the determination is that the signature is valid, then process flow proceeds to step 
608 in which the applet is "branded." Branding, or marking, an applet generally refers to 
attaching a signer to the applet, or attaching an identifier to the applet which can be used to 
identify the validity of the applet. Once the applet is suitably branded, the applet is 
executed, or run, in step 610. While the applet is running, various actions within the applet 
are called. 

A determination is made in step 612 regarding whether the applet has finished 
running. In other words, it is determined whether each action associated with the applet 
has either been executed or been disallowed from executing, as will be described below. If 
it is determined that applet execution has been completed, the process of executing an applet 
ends. If it is determined that the applet execution has not been completed, then in step 614, 
it is determined whether the applet action triggers a security check. That is, in step 614, a 
determination is made regarding whether a particular applet action falls within those actions 
determined to be potentially harmful to a user's system security. Such actions will be 
familiar to those of skill in the computer arts, and, more specifically, to those of skill in the 
computer security arts. By way of example, actions which are potentially harmful to the 
user's system security can include, but are not limited to, unrestricted write access, 
modification of system resources, and open transmission to other systems. 

If the applet action triggers a security check, then the brand placed on the applet in 
step 608 is compared with security settings, or permission levels, which were previously 
provided by a user in step 616. In some embodiments, comparing security settings with 
the brand on the applet involves a consultation with a user through a user interface. In such 
embodiments, the user can authorize a bypass of security settings, i.e., the user can 
override the security settings to either allow or deny a particular action. From step 616, 
process control proceeds to step 618 which is the determination of whether security is 
satisfied for the applet action. If security is satisfied, either by virtue of the fact that the 
brand placed on the applet compares favorably with the security settings, or by virtue of the 
fact that the user has authorized the applet action, then the applet action is allowed in step 
620. Process control then returns to step 610, and the continued execution of the applet. 
On the other hand, if security is not satisfied in step 618, then the applet action is 
disallowed in step 622. After the applet action is disallowed, process control returns to 
step 610 in which the applet continues to run. 

If the applet action does not trigger a security check in step 614, then process flow 
returns to step 610 in which the applet continues to run. Process flow continues to loop 
between steps 610 and 614 until either the applet has finished executing, or a determination 
is made in step 614 that the current applet action triggers a security check, in which case 
process control proceeds to step 618 as previously described. 

Returning to the check for signature validity in step 606, if a determination is made 
that the signature is not valid, then the archive is considered to be unsigned, and process 
flow proceeds to step 624 which is the determination of whether the unsigned stream 
should be accepted. In the described embodiment, the determination of whether the 
unsigned stream should be accepted is made by a user through the use of a user interface. 
By way of example, the user can be prompted with a warning dialog which indicates that 
while the signature was not valid, he can make the decision to run the applet. If the 
determination is made that the unsigned stream is to be accepted, process flow moves to 
step 608 in which the applet is branded as appropriate, e.g., branded to indicate that the 
stream associated with the applet is unsigned. If the determination in step 624 is that the 
unsigned stream is not to be accepted, then the applet is stopped, or prohibited, from 
running in step 626, and the process of executing an applet ends. 
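
The Figure 6 flow can be modelled in a few functions. The Python below is an added example, not code from the patent: the function names, the action names in CHECKED_ACTIONS, the default of HIGH for a brand with no setting, and the choice to deny checked actions at the untrusted level are assumptions, and the certificates "A", "B", "X", "Y" are constructed sample data.

```python
from enum import Enum

class Level(Enum):
    HIGH = "high"            # safe actions only
    MEDIUM = "medium"        # ask the user about potentially unsafe actions
    LOW = "low"              # minimal constraints, no warning
    UNTRUSTED = "untrusted"  # certificate or site known to be unsafe

# Assumption: the set of actions that trigger a security check in step 614.
CHECKED_ACTIONS = {"write", "delete", "rename", "connect"}
UNSIGNED = "<unsigned>"      # brand for a stream accepted without a valid signature

def chain_is_valid(cert, vouched_by, known_valid):
    """Step 606: follow 'vouched for by' links until a known authority is found."""
    seen = set()
    while cert is not None and cert not in seen:   # 'seen' stops looping chains
        if cert in known_valid:
            return True
        seen.add(cert)
        cert = vouched_by.get(cert)
    return False

def brand_applet(signer, vouched_by, known_valid, accept_unsigned):
    """Steps 606, 608, 624, 626: return the brand, or None if the applet may not run."""
    if signer is not None and chain_is_valid(signer, vouched_by, known_valid):
        return signer
    return UNSIGNED if accept_unsigned() else None

def action_allowed(action, brand, levels, ask_user):
    """Steps 614-622: decide a single applet action against the user's settings."""
    if action not in CHECKED_ACTIONS:
        return True                                  # step 614: no check triggered
    level = levels.get(brand, Level.HIGH)            # assumption: default to HIGH
    if level is Level.LOW:
        return True
    if level is Level.MEDIUM:
        return bool(ask_user(action, brand))         # step 616: user grants or denies
    return False                                     # HIGH and UNTRUSTED (assumed) deny

def run_applet(signer, actions, vouched_by, known_valid, levels,
               ask_user=lambda action, brand: False,
               accept_unsigned=lambda: False):
    """Return [(action, allowed)] for the run, or None if the applet is stopped."""
    brand = brand_applet(signer, vouched_by, known_valid, accept_unsigned)
    if brand is None:
        return None                                  # step 626
    return [(a, action_allowed(a, brand, levels, ask_user)) for a in actions]

# Constructed sample data: certificate "A" is vouched for by known-valid "B";
# "X" and "Y" vouch only for each other and never reach a known authority.
VOUCHED_BY = {"A": "B", "X": "Y", "Y": "X"}
KNOWN_VALID = {"B"}
LEVELS = {"A": Level.MEDIUM}

if __name__ == "__main__":
    print(run_applet("A", ["read", "write"], VOUCHED_BY, KNOWN_VALID, LEVELS))
```
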

Referring next to Figure 7, the steps associated with establishing a connection across 
a computer network will be described in accordance with one embodiment of the present 
invention. The process of making a connection 700 begins at step 702 in which the desired 
connection is defined. In the described embodiment, defining the desired connection 
entails specifying a universal reference language (URL) address for the site to which a 
connection is desired. After the connection is defined, communication is established with 
the site to which a connection is desired in step 704. 

From step 704, process control proceeds to step 706 in which a determination is 
made regarding whether the site requires a secure connection. In one embodiment, a secure 
connection is a connection over a secure socket layer (SSL), as will be appreciated by those 
skilled in the art. If it is determined that a secure connection is not required, a connection to 
the site is made in step 708, and the process of establishing a connection is completed. 

If it is determined that the site requires a secure connection, then in step 710, it is 
determined whether the site certificate associated with the site is valid. It should be 
appreciated that a valid site certificate is not necessarily a trusted site certificate, as a site 
certificate can be a valid certificate for a site that is not trusted, or is known to be unsafe. If 
the site certificate is valid, then process flow moves to step 712, which is the determination 
of whether the site certificate is trusted. If the determination is that the site certificate is 
trusted, then process flow proceeds to step 708 in which a connection is made to the site. 
Alternatively, if the determination is that the site certificate is not trusted, then in step 714, 
the communication which was established with the site (in step 704) is terminated. 
Similarly, if it is determined in step 710 that the site certificate is not valid, then 
communication with the site is terminated in step 714. 

The embodiments of the present invention as described above employ various 
process steps involving data stored in computer systems. These steps are those requiring 
physical manipulation of physical quantities. Usually, though not necessarily, these 
quantities take the form of electrical or magnetic signals capable of being stored, 
transferred, combined, compared, and otherwise manipulated. It is sometimes convenient, 
principally for reasons of common usage, to refer to these signals as bits, values, elements, 
variables, characters, data structures, or the like. It should be remembered, however, that 
all of these and similar terms are to be associated with the appropriate physical quantities 
and are merely convenient labels applied to these quantities. 

Further, the manipulations performed are often referred to in terms such as 
generating, calculating, computing, marking, ignoring, aborting, alerting, verifying, 
signing, sending, receiving, creating, iterating, identifying, running, or comparing. In any 
of the operations described herein that form part of an embodiment of the present invention, 
these operations are machine operations. Useful machines for performing the operations of 
an embodiment of the present invention include general purpose digital computers or other 
similar devices. In all cases, there should be borne in mind the distinction between the 
method of operations in operating a computer and the method of computation itself. An 
embodiment of the present invention relates to method steps for operating a computer in 
processing electrical or other physical signals to generate other desired physical signals. 

An embodiment of the present invention also relates to an apparatus for performing 
these operations. This apparatus may be specially constructed for the required purposes, or 
it may be a general purpose computer selectively activated or reconfigured by a computer 
program stored in the computer. The processes presented herein are not inherently related 
to any particular computer or other apparatus. In particular, various general purpose 
machines may be used with programs written in accordance with the teachings herein, or it 
may be more convenient to construct a more specialized apparatus to perform the required 
method steps. The required structure for a variety of these machines will appear from the 
description given above. 

In addition, an embodiment of the present invention further relates to computer 
readable media that include program instructions for performing various 
computer-implemented operations. The media and program instructions may be those specially 
designed and constructed for the purposes of an embodiment of the present invention, or 
they may be of the kind well known and available to those having skill in the computer 
software arts. Examples of computer-readable media include, but are not limited to, 
magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as 
CD-ROM disks; magneto-optical media such as floptical disks; and hardware devices that 
are specially arranged to store and perform program instructions, such as read-only 
memory devices (ROM) and random access memory (RAM). Examples of program 
instructions include both machine code, such as produced by a compiler, and files 
containing higher level code that may be executed by the computer using an interpreter. 

Although the foregoing invention has been described in some detail for purposes of 
clarity of understanding, it will be apparent that certain changes and modifications may be 
practiced within the scope of the appended claims. For instance, the identifiers or signature 
algorithms may be further selected, modified or otherwise limited in use so as to adhere to 
export regulations. This is especially true for computers networked to provide for the 
global exchange of data files. 

In addition, steps involved with establishing a connection to a site, as well as steps 
involved with executing an applet which uses verification settings, may be reordered. 
Steps may also be removed or added without departing from the spirit or the scope of the 
present invention. 

Further, although only a few security levels have been specified, it should be 
appreciated that the security levels can be widely varied in accordance with the requirements 
of a particular computer system. Therefore, the described embodiments should be taken as 
illustrative and not restrictive, and the invention should not be limited to the details given 
herein but should be defined by the following claims and their full scope of equivalents. 

FIGURE 1 illustrates a networked computing environment. 

FIGURE 2 illustrates a typical computer system for use with the networked 
computing environment in Figure 1. 

FIGURE 3a illustrates an embodiment of an archival data structure, including a 
signature file, for use with an embodiment of the present invention. 

FIGURE 3b illustrates an embodiment of a signature file, for use with an 
embodiment of the present invention. 

... a security manager in accordance with an embodiment of the 
present invention. 

FIGURE 5a is a diagrammatic representation of a browser interface which illustrates 
advanced settings in accordance with an embodiment of the present invention. 

... which uses verification settings in accordance with an embodiment of the present invention. 

FIGURE 7 is a flow chart which illustrates the steps associated with establishing a 
connection across a computer network in accordance with an embodiment of the present 
invention. 

1. Abstract 

ABSTRACT OF THE DISCLOSURE 

Methods, apparatuses and products are provided for establishing and verifying the 
authenticity of data within one or more data files. In accordance with one aspect of the 
present invention, a method for verifying the authenticity of data involves providing at least 
one data file which includes an identifier and a signature file which includes the identifier 
for the data file as well as a digital signature. The digital signature is then verified using a 
computer system, and the identifier in the data file is compared with the identifier in the 
signature file using the computer system. In one embodiment, the identifier for the data file 
includes at least one certificate authority, site certificate, software publisher identifier, or a 
site name, and verifying the authenticity of data involves setting a security level for at least 
one of the certificate authority, said site certificate, said software publisher identifier, and 
said site name. 